2013-08-28 19:24:34 -04:00
|
|
|
[[modules-discovery-zen]]
|
|
|
|
=== Zen Discovery
|
|
|
|
|
|
|
|
The zen discovery is the built in discovery module for elasticsearch and
|
2015-08-20 03:38:42 -04:00
|
|
|
the default. It provides unicast discovery, but can be extended to
|
|
|
|
support cloud environments and other forms of discovery.
|
2013-08-28 19:24:34 -04:00
|
|
|
|
|
|
|
The zen discovery is integrated with other modules, for example, all
|
|
|
|
communication between nodes is done using the
|
|
|
|
<<modules-transport,transport>> module.
|
|
|
|
|
|
|
|
It is separated into several sub modules, which are explained below:
|
|
|
|
|
|
|
|
[float]
|
2013-09-25 12:17:40 -04:00
|
|
|
[[ping]]
|
2013-08-28 19:24:34 -04:00
|
|
|
==== Ping
|
|
|
|
|
|
|
|
This is the process where a node uses the discovery mechanisms to find
|
2015-08-20 03:38:42 -04:00
|
|
|
other nodes.
|
2013-08-28 19:24:34 -04:00
|
|
|
|
|
|
|
[float]
|
2013-09-25 12:17:40 -04:00
|
|
|
[[unicast]]
|
2013-08-28 19:24:34 -04:00
|
|
|
===== Unicast
|
|
|
|
|
Lazy resolve unicast hosts
Today we eagerly resolve unicast hosts. This means that if DNS changes,
we will never find the host at the new address. Moreover, a single host
failng to resolve causes startup to abort. This commit introduces lazy
resolution of unicast hosts. If a DNS entry changes, there is an
opportunity for the host to be discovered. Note that under the Java
security manager, there is a default positive cache of infinity for
resolved hosts; this means that if a user does want to operate in an
environment where DNS can change, they must adjust
networkaddress.cache.ttl in their security policy. And if a host fails
to resolve, we warn log the hostname but continue pinging other
configured hosts.
When doing DNS resolutions for unicast hostnames, we wait until the DNS
lookups timeout. This appears to be forty-five seconds on modern JVMs,
and it is not configurable. If we do these serially, the cluster can be
blocked during ping for a lengthy period of time. This commit introduces
doing the DNS lookups in parallel, and adds a user-configurable timeout
for these lookups.
Relates #21630
2016-11-22 14:17:04 -05:00
|
|
|
Unicast discovery requires a list of hosts to use that will act as gossip routers. These hosts can be specified as
|
|
|
|
hostnames or IP addresses; hosts specified as hostnames are resolved to IP addresses during each round of pinging. Note
|
|
|
|
that with the Java security manager in place, the JVM defaults to caching positive hostname resolutions indefinitely.
|
|
|
|
This can be modified by adding
|
|
|
|
http://docs.oracle.com/javase/8/docs/technotes/guides/net/properties.html[`networkaddress.cache.ttl=<timeout>`] to your
|
|
|
|
http://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html[Java security policy]. Any hosts that
|
|
|
|
fail to resolve will be logged. Note also that with the Java security manager in place, the JVM defaults to caching
|
|
|
|
negative hostname resolutions for ten seconds. This can be modified by adding
|
2016-11-23 10:02:13 -05:00
|
|
|
http://docs.oracle.com/javase/8/docs/technotes/guides/net/properties.html[`networkaddress.cache.negative.ttl=<timeout>`]
|
|
|
|
to your http://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html[Java security policy].
|
Lazy resolve unicast hosts
Today we eagerly resolve unicast hosts. This means that if DNS changes,
we will never find the host at the new address. Moreover, a single host
failng to resolve causes startup to abort. This commit introduces lazy
resolution of unicast hosts. If a DNS entry changes, there is an
opportunity for the host to be discovered. Note that under the Java
security manager, there is a default positive cache of infinity for
resolved hosts; this means that if a user does want to operate in an
environment where DNS can change, they must adjust
networkaddress.cache.ttl in their security policy. And if a host fails
to resolve, we warn log the hostname but continue pinging other
configured hosts.
When doing DNS resolutions for unicast hostnames, we wait until the DNS
lookups timeout. This appears to be forty-five seconds on modern JVMs,
and it is not configurable. If we do these serially, the cluster can be
blocked during ping for a lengthy period of time. This commit introduces
doing the DNS lookups in parallel, and adds a user-configurable timeout
for these lookups.
Relates #21630
2016-11-22 14:17:04 -05:00
|
|
|
|
2017-08-01 05:15:50 -04:00
|
|
|
It is recommended that the unicast hosts list be maintained as the list of
|
|
|
|
master-eligible nodes in the cluster.
|
|
|
|
|
Lazy resolve unicast hosts
Today we eagerly resolve unicast hosts. This means that if DNS changes,
we will never find the host at the new address. Moreover, a single host
failng to resolve causes startup to abort. This commit introduces lazy
resolution of unicast hosts. If a DNS entry changes, there is an
opportunity for the host to be discovered. Note that under the Java
security manager, there is a default positive cache of infinity for
resolved hosts; this means that if a user does want to operate in an
environment where DNS can change, they must adjust
networkaddress.cache.ttl in their security policy. And if a host fails
to resolve, we warn log the hostname but continue pinging other
configured hosts.
When doing DNS resolutions for unicast hostnames, we wait until the DNS
lookups timeout. This appears to be forty-five seconds on modern JVMs,
and it is not configurable. If we do these serially, the cluster can be
blocked during ping for a lengthy period of time. This commit introduces
doing the DNS lookups in parallel, and adds a user-configurable timeout
for these lookups.
Relates #21630
2016-11-22 14:17:04 -05:00
|
|
|
Unicast discovery provides the following settings with the `discovery.zen.ping.unicast` prefix:
|
2013-08-28 19:24:34 -04:00
|
|
|
|
|
|
|
[cols="<,<",options="header",]
|
|
|
|
|=======================================================================
|
|
|
|
|Setting |Description
|
|
|
|
|`hosts` |Either an array setting or a comma delimited setting. Each
|
2017-01-11 17:10:56 -05:00
|
|
|
value should be in the form of `host:port` or `host` (where `port` defaults to the setting `transport.profiles.default.port`
|
|
|
|
falling back to `transport.tcp.port` if not set). Note that IPv6 hosts must be bracketed. Defaults to `127.0.0.1, [::1]`
|
Lazy resolve unicast hosts
Today we eagerly resolve unicast hosts. This means that if DNS changes,
we will never find the host at the new address. Moreover, a single host
failng to resolve causes startup to abort. This commit introduces lazy
resolution of unicast hosts. If a DNS entry changes, there is an
opportunity for the host to be discovered. Note that under the Java
security manager, there is a default positive cache of infinity for
resolved hosts; this means that if a user does want to operate in an
environment where DNS can change, they must adjust
networkaddress.cache.ttl in their security policy. And if a host fails
to resolve, we warn log the hostname but continue pinging other
configured hosts.
When doing DNS resolutions for unicast hostnames, we wait until the DNS
lookups timeout. This appears to be forty-five seconds on modern JVMs,
and it is not configurable. If we do these serially, the cluster can be
blocked during ping for a lengthy period of time. This commit introduces
doing the DNS lookups in parallel, and adds a user-configurable timeout
for these lookups.
Relates #21630
2016-11-22 14:17:04 -05:00
|
|
|
|`hosts.resolve_timeout` |The amount of time to wait for DNS lookups on each round of pinging. Specified as
|
|
|
|
<<time-units, time units>>. Defaults to 5s.
|
2013-08-28 19:24:34 -04:00
|
|
|
|=======================================================================
|
|
|
|
|
Lazy resolve unicast hosts
Today we eagerly resolve unicast hosts. This means that if DNS changes,
we will never find the host at the new address. Moreover, a single host
failng to resolve causes startup to abort. This commit introduces lazy
resolution of unicast hosts. If a DNS entry changes, there is an
opportunity for the host to be discovered. Note that under the Java
security manager, there is a default positive cache of infinity for
resolved hosts; this means that if a user does want to operate in an
environment where DNS can change, they must adjust
networkaddress.cache.ttl in their security policy. And if a host fails
to resolve, we warn log the hostname but continue pinging other
configured hosts.
When doing DNS resolutions for unicast hostnames, we wait until the DNS
lookups timeout. This appears to be forty-five seconds on modern JVMs,
and it is not configurable. If we do these serially, the cluster can be
blocked during ping for a lengthy period of time. This commit introduces
doing the DNS lookups in parallel, and adds a user-configurable timeout
for these lookups.
Relates #21630
2016-11-22 14:17:04 -05:00
|
|
|
The unicast discovery uses the <<modules-transport,transport>> module to perform the discovery.
|
2013-08-28 19:24:34 -04:00
|
|
|
|
|
|
|
[float]
|
2013-09-25 12:17:40 -04:00
|
|
|
[[master-election]]
|
2013-08-28 19:24:34 -04:00
|
|
|
==== Master Election
|
|
|
|
|
2014-09-15 04:00:28 -04:00
|
|
|
As part of the ping process a master of the cluster is either
|
2013-08-28 19:24:34 -04:00
|
|
|
elected or joined to. This is done automatically. The
|
2017-11-02 11:52:10 -04:00
|
|
|
`discovery.zen.ping_timeout` (which defaults to `3s`) determines how long the node
|
|
|
|
will wait before deciding on starting an election or joining an existing cluster.
|
|
|
|
Three pings will be sent over this timeout interval. In case where no decision can be
|
|
|
|
reached after the timeout, the pinging process restarts.
|
|
|
|
In slow or congested networks, three seconds might not be enough for a node to become
|
|
|
|
aware of the other nodes in its environment before making an election decision.
|
|
|
|
Increasing the timeout should be done with care in that case, as it will slow down the
|
|
|
|
election process.
|
|
|
|
Once a node decides to join an existing formed cluster, it
|
2014-06-12 06:53:27 -04:00
|
|
|
will send a join request to the master (`discovery.zen.join_timeout`)
|
|
|
|
with a timeout defaulting at 20 times the ping timeout.
|
2014-09-15 04:00:28 -04:00
|
|
|
|
|
|
|
When the master node stops or has encountered a problem, the cluster nodes
|
|
|
|
start pinging again and will elect a new master. This pinging round also
|
2016-05-17 11:10:32 -04:00
|
|
|
serves as a protection against (partial) network failures where a node may unjustly
|
2014-09-15 04:00:28 -04:00
|
|
|
think that the master has failed. In this case the node will simply hear from
|
|
|
|
other nodes about the currently active master.
|
|
|
|
|
2016-03-24 12:10:45 -04:00
|
|
|
If `discovery.zen.master_election.ignore_non_master_pings` is `true`, pings from nodes that are not master
|
|
|
|
eligible (nodes where `node.master` is `false`) are ignored during master election; the default value is
|
|
|
|
`false`.
|
2015-08-07 11:30:36 -04:00
|
|
|
|
2016-03-04 13:45:49 -05:00
|
|
|
Nodes can be excluded from becoming a master by setting `node.master` to `false`.
|
2013-08-28 19:24:34 -04:00
|
|
|
|
2014-09-23 15:46:56 -04:00
|
|
|
The `discovery.zen.minimum_master_nodes` sets the minimum
|
2015-07-06 14:55:53 -04:00
|
|
|
number of master eligible nodes that need to join a newly elected master in order for an election to
|
2016-07-26 13:59:33 -04:00
|
|
|
complete and for the elected node to accept its mastership. The same setting controls the minimum number of
|
2015-07-06 14:55:53 -04:00
|
|
|
active master eligible nodes that should be a part of any active cluster. If this requirement is not met the
|
2017-04-19 10:49:13 -04:00
|
|
|
active master node will step down and a new master election will begin.
|
2015-07-06 14:55:53 -04:00
|
|
|
|
2017-04-25 16:51:58 -04:00
|
|
|
This setting must be set to a <<minimum_master_nodes,quorum>> of your master
|
|
|
|
eligible nodes. It is recommended to avoid having only two master eligible
|
|
|
|
nodes, since a quorum of two is two. Therefore, a loss of either master
|
|
|
|
eligible node will result in an inoperable cluster.
|
2013-08-28 19:24:34 -04:00
|
|
|
|
|
|
|
[float]
|
2013-09-25 12:17:40 -04:00
|
|
|
[[fault-detection]]
|
2013-08-28 19:24:34 -04:00
|
|
|
==== Fault Detection
|
|
|
|
|
|
|
|
There are two fault detection processes running. The first is by the
|
|
|
|
master, to ping all the other nodes in the cluster and verify that they
|
|
|
|
are alive. And on the other end, each node pings to master to verify if
|
|
|
|
its still alive or an election process needs to be initiated.
|
|
|
|
|
|
|
|
The following settings control the fault detection process using the
|
|
|
|
`discovery.zen.fd` prefix:
|
|
|
|
|
|
|
|
[cols="<,<",options="header",]
|
|
|
|
|=======================================================================
|
|
|
|
|Setting |Description
|
|
|
|
|`ping_interval` |How often a node gets pinged. Defaults to `1s`.
|
|
|
|
|
|
|
|
|`ping_timeout` |How long to wait for a ping response, defaults to
|
|
|
|
`30s`.
|
|
|
|
|
|
|
|
|`ping_retries` |How many ping failures / timeouts cause a node to be
|
|
|
|
considered failed. Defaults to `3`.
|
|
|
|
|=======================================================================
|
|
|
|
|
2014-02-11 12:56:56 -05:00
|
|
|
[float]
|
|
|
|
==== Cluster state updates
|
|
|
|
|
|
|
|
The master node is the only node in a cluster that can make changes to the
|
|
|
|
cluster state. The master node processes one cluster state update at a time,
|
|
|
|
applies the required changes and publishes the updated cluster state to all
|
2015-08-25 09:03:17 -04:00
|
|
|
the other nodes in the cluster. Each node receives the publish message, acknowledges
|
2015-08-25 10:14:08 -04:00
|
|
|
it, but does *not* yet apply it. If the master does not receive acknowledgement from
|
2015-08-25 09:03:17 -04:00
|
|
|
at least `discovery.zen.minimum_master_nodes` nodes within a certain time (controlled by
|
|
|
|
the `discovery.zen.commit_timeout` setting and defaults to 30 seconds) the cluster state
|
|
|
|
change is rejected.
|
|
|
|
|
|
|
|
Once enough nodes have responded, the cluster state is committed and a message will
|
2015-08-25 10:14:08 -04:00
|
|
|
be sent to all the nodes. The nodes then proceed to apply the new cluster state to their
|
2015-08-25 09:03:17 -04:00
|
|
|
internal state. The master node waits for all nodes to respond, up to a timeout, before
|
|
|
|
going ahead processing the next updates in the queue. The `discovery.zen.publish_timeout` is
|
|
|
|
set by default to 30 seconds and is measured from the moment the publishing started. Both
|
|
|
|
timeout settings can be changed dynamically through the <<cluster-update-settings,cluster update settings api>>
|
2014-09-15 04:00:28 -04:00
|
|
|
|
|
|
|
[float]
|
|
|
|
[[no-master-block]]
|
|
|
|
==== No master block
|
|
|
|
|
2015-03-20 10:58:16 -04:00
|
|
|
For the cluster to be fully operational, it must have an active master and the
|
|
|
|
number of running master eligible nodes must satisfy the
|
|
|
|
`discovery.zen.minimum_master_nodes` setting if set. The
|
|
|
|
`discovery.zen.no_master_block` settings controls what operations should be
|
|
|
|
rejected when there is no active master.
|
2014-09-15 04:00:28 -04:00
|
|
|
|
|
|
|
The `discovery.zen.no_master_block` setting has two valid options:
|
2014-11-04 08:27:22 -05:00
|
|
|
|
|
|
|
[horizontal]
|
|
|
|
`all`:: All operations on the node--i.e. both read & writes--will be rejected. This also applies for api cluster state
|
2014-09-15 04:00:28 -04:00
|
|
|
read or write operations, like the get index settings, put mapping and cluster state api.
|
2014-11-04 08:27:22 -05:00
|
|
|
`write`:: (default) Write operations will be rejected. Read operations will succeed, based on the last known cluster configuration.
|
2017-04-19 10:49:13 -04:00
|
|
|
This may result in partial reads of stale data as this node may be isolated from the rest of the cluster.
|
2014-09-15 04:00:28 -04:00
|
|
|
|
2016-07-27 14:02:56 -04:00
|
|
|
The `discovery.zen.no_master_block` setting doesn't apply to nodes-based apis (for example cluster stats, node info and
|
|
|
|
node stats apis). Requests to these apis will not be blocked and can run on any available node.
|